github / glb-director

GitHub Load Balancer Director and supporting tooling.

6to4 traffic on sit tunnel is dropped as spoofed #64

Open lmb opened 5 years ago

lmb commented 5 years ago

We're seeing the following in dmesg:

[Thu Apr 11 13:22:44 2019] sit: Src spoofed 108.X.X.X/2002::Z -> 108.Y.Y.Y/2606::Q

As far as we can tell, this is because the encapsulated source IP uses the 6to4 prefix; presumably this is a legit client. We traced this to https://elixir.bootlin.com/linux/v4.19.6/source/net/ipv6/sit.c#L622, which means that the packet is dropped after this message is logged.

The configuration for our tunnel:

11: sit1@ethX: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/sit 108.Y.Y.Y brd 0.0.0.0

It seems like it might be possible to work around this using ip tunnel 6rd dev sit1 6rd-prefix fc00::/32 (see https://elixir.bootlin.com/linux/v4.19.6/source/net/ipv6/sit.c#L771), but that seems hacky.

cc @arthurfabre who did the debugging on this.

Have you encountered this issue as well? Is there a better way to fix this / are we doing something wrong?
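To make the kernel check concrete, here is an added Python model of the 6rd/6to4 source check in net/ipv6/sit.c, together with a parser for the "Src spoofed" dmesg line quoted above. It is an illustration written for this issue, not kernel code and not part of glb-director. The sample dmesg line and its addresses are constructed (documentation ranges, not the addresses from the report); the kernel's default when no 6rd prefix is configured is 2002::/16 with an empty relay prefix, which makes the check plain 6to4; the fc00::/32 prefix is the workaround mentioned above.

```python
"""Model of the sit tunnel's 6rd/6to4 "Src spoofed" check (net/ipv6/sit.c)
plus a parser for the dmesg line it emits.  Added illustration for this
issue; not kernel code and not part of glb-director."""
import ipaddress
import re
from typing import Dict, List, Optional, Union

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address

# Kernel defaults when no 6rd prefix is configured: behave as plain 6to4.
DEFAULT_PREFIX = ipaddress.IPv6Network("2002::/16")
DEFAULT_RELAY = ipaddress.IPv4Network("0.0.0.0/0")
# The workaround prefix from the issue; nothing legitimate ever matches it.
WORKAROUND_PREFIX = ipaddress.IPv6Network("fc00::/32")

# Constructed sample dmesg line (documentation addresses, not the real ones).
SAMPLE_DMESG = (
    "[Thu Apr 11 13:22:44 2019] sit: Src spoofed "
    "192.0.2.11/2002:c000:20a::1 -> 198.51.100.1/2001:db8::1\n"
)

SPOOF_RE = re.compile(
    r"sit: Src spoofed (?P<outer_src>[\d.]+)/(?P<inner_src>[0-9a-fA-F:]+)"
    r" -> (?P<outer_dst>[\d.]+)/(?P<inner_dst>[0-9a-fA-F:]+)"
)


def _v4(a: Union[str, IPv4]) -> IPv4:
    return a if isinstance(a, IPv4) else IPv4(a)


def _v6(a: Union[str, IPv6]) -> IPv6:
    return a if isinstance(a, IPv6) else IPv6(a)


def _net6(n) -> ipaddress.IPv6Network:
    return n if isinstance(n, ipaddress.IPv6Network) else ipaddress.IPv6Network(n)


def _net4(n) -> ipaddress.IPv4Network:
    return n if isinstance(n, ipaddress.IPv4Network) else ipaddress.IPv4Network(n)


def embedded_ipv4(inner, prefix=DEFAULT_PREFIX, relay=DEFAULT_RELAY) -> Optional[IPv4]:
    """IPv4 address that `inner` embeds under the 6rd mapping sit.c applies.

    If `inner` lies inside the 6rd prefix, the (32 - relay prefix length)
    bits that follow the prefix are appended to the relay prefix.  With the
    defaults (2002::/16, empty relay prefix) this is plain 6to4 (RFC 3056):
    bits 16..47 of the IPv6 address are the IPv4 address.  Returns None when
    `inner` is outside the prefix, in which case the kernel skips the check.
    """
    inner, prefix, relay = _v6(inner), _net6(prefix), _net4(relay)
    if inner not in prefix:
        return None
    host_bits = 32 - relay.prefixlen
    shift = 128 - prefix.prefixlen - host_bits
    if shift < 0:
        raise ValueError("6rd prefix too long for the relay prefix")
    d = (int(inner) >> shift) & ((1 << host_bits) - 1)
    return IPv4(int(relay.network_address) | d)


def is_spoofed_6rd(outer, inner, prefix=DEFAULT_PREFIX, relay=DEFAULT_RELAY) -> bool:
    """Mirror of is_spoofed_6rd(): the packet is dropped when the inner
    address is inside the 6rd prefix but embeds an IPv4 address other than
    the outer one.  sit.c applies this to the source pair, then to the
    destination pair."""
    embedded = embedded_ipv4(inner, prefix, relay)
    return embedded is not None and embedded != _v4(outer)


def explain_spoof_lines(dmesg: str, prefix=DEFAULT_PREFIX,
                        relay=DEFAULT_RELAY) -> List[Dict[str, object]]:
    """Parse "sit: Src spoofed" lines and report which IPv4 the inner source
    embeds, so an operator can see why the packet was dropped and whether a
    given 6rd prefix/relay configuration would still drop it."""
    rows = []
    for m in SPOOF_RE.finditer(dmesg):
        outer, inner = _v4(m["outer_src"]), _v6(m["inner_src"])
        emb = embedded_ipv4(inner, prefix, relay)
        rows.append({
            "outer_src": str(outer),
            "inner_src": str(inner),
            "embedded_ipv4": str(emb) if emb is not None else None,
            "dropped": is_spoofed_6rd(outer, inner, prefix, relay),
        })
    return rows


if __name__ == "__main__":
    print("default 6to4 check:", explain_spoof_lines(SAMPLE_DMESG))
    # With the workaround prefix the inner source never matches, so the
    # check is skipped and the same packet is accepted.
    print("fc00::/32 workaround:", explain_spoof_lines(SAMPLE_DMESG, WORKAROUND_PREFIX))
```

Running this on the constructed line shows the mechanism behind the log message: 2002:c000:20a::1 embeds 192.0.2.10, the outer source is 192.0.2.11, so the kernel treats the packet as spoofed. The fc00::/32 workaround does not relax the comparison, it switches it off: no 2002::/16 source ever falls inside that prefix, so the tunnel then accepts any inner source for any outer source, and whatever consistency you want between the two addresses has to be enforced by filtering elsewhere.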

robloxrob commented 5 years ago

Have you tried disabling rp_filter on those interfaces?